I’m not sure it’s incorrect. To be pedantic, step D represents the start of a new HTTP request, sent to the client application. From a HTTP request/response standpoint, the diagram appears to be accurate.

Agree from the HTTP request/response but when you use it in code, you read ‘oauth_token’ and ‘oauth_verifier’ from a response and use them together with others for a request (step E). Just something to be aware when developing.